diff --git a/playbooks/web.yml b/playbooks/web.yml
index 3c97276..465d113 100755
--- a/playbooks/web.yml
+++ b/playbooks/web.yml
@@ -136,28 +136,82 @@ - role: certbot tags: [ web, certbot ] - hosts: web2.desu.ltd - vars_files: - - vars/apache.yml - - vars/desultd-pleroma.yml - - vars/desultd-pleroma-apache.yml - - vars/desultd-pleroma-certbot.yml + tasks: + - name: ensure docker network + docker_network: name=web + tags: [ docker ] + - name: ensure docker nginx config + copy: + dest: /data/nginx-certbot/user_conf.d/vhosts.conf + mode: "0750" + content: | + server { + listen 443 ssl default_server; + server_name cowfee.moe; + ssl_certificate /etc/letsencrypt/live/cowfee.moe/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/cowfee.moe/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/cowfee.moe/chain.pem; + ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem; + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_pass http://pleroma:4000; + } + } + tags: [ docker, ingress ] + - name: docker deploy nginx proxy + docker_container: + name: ingress + state: started + image: jonasal/nginx-certbot:2.2.0 + restart_policy: unless-stopped + pull: yes + env: + TZ: "America/Chicago" + CERTBOT_EMAIL: rehashedsalt@cock.li + networks: + - name: web + aliases: [ "ingress" ] + ports: + - "443:443" + - "80:80" + volumes: + - /data/nginx-certbot/letsencrypt:/etc/letsencrypt + - /data/nginx-certbot/user_conf.d:/etc/nginx/user_conf.d:ro + tags: [ docker, ingress ] + - name: docker deploy pleroma + docker_container: + name: pleroma + state: started + image: jordemort/pleroma + restart_policy: unless-stopped + pull: yes + env: + TZ: "America/Chicago" + POSTGRES_HOST: 192.168.164.156 + POSTGRES_DB: pleroma_cowfee + POSTGRES_USER: pleroma-cowfee + POSTGRES_PASSWORD: "{{ secret_pleroma_9iron_db_pass }}" + networks: + - name: web + aliases: [ "pleroma" ] + ports: + - "4000:4000" + volumes: + - /data/pleroma/etc:/etc/pleroma + - /data/pleroma/static:/var/lib/pleroma/static + - /data/pleroma/uploads:/var/lib/pleroma/uploads + tags: [ docker, pleroma ] roles: - 
role: backup vars: backup_s3backup_list_extra: - - /opt/pleroma - - /var/lib/matrix-synapse - - /var/lib/pleroma + - /data tags: [ backup ] - role: motd vars: motd_watch_services_extra: - - apache2 - - pleroma + - docker tags: [ motd ] - - role: pleroma - tags: [ web, pleroma ] - - role: apache - tags: [ web, apache ] - - role: certbot - tags: [ web, certbot ] + - role: docker + tags: [ web, docker, skip-pull ]
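Review bot: The `docker deploy pleroma` task publishes `"4000:4000"` on every host interface, so the backend is reachable over plain HTTP without passing through the `ingress` container that terminates TLS. The nginx vhost already reaches it over the `web` network as `http://pleroma:4000`, so the `ports:` entry can be dropped, or narrowed to `- "127.0.0.1:4000:4000"` if local access from the host is needed. Direct access would also let a client supply its own `X-Real-IP` header, which matters if Pleroma is configured to trust that header (not visible in this hunk). Separately, `image: jordemort/pleroma` carries no tag while `pull: yes` is set, so each run deploys whatever the registry currently serves; pin it the way the ingress image is pinned, e.g. `image: jordemort/pleroma:<pinned-tag>`, or by digest.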